
Read-only root file system check broken if the container.security_context not defined

Open alen-caljuksic opened this issue 2 years ago • 2 comments

It seems to me a pod should be added to the offender list when container.security_context is not defined: https://github.com/aws-samples/hardeneks/blob/main/hardeneks/namespace_based/security/pod_security.py#L146

alen-caljuksic avatar Aug 21 '23 13:08 alen-caljuksic

Hi, thank you for creating an issue. Can you elaborate a little bit? In the linked scenario, if security_context does not have the read_only_root_filesystem attribute it gets added to the list of offenders. Is there a different check that you are looking for?

dorukozturk avatar Sep 12 '23 01:09 dorukozturk

Hi @dorukozturk

What if the container doesn't have this parameter?

securityContext:
  readOnlyRootFilesystem: true

I can see that it is not added to the offender list, which is wrong. CMIIW.

Maybe this is what @alen-caljuksic meant:

pod should be added to an offender list when container.security_context not defined

It works fine when I have this parameter:

securityContext:
  readOnlyRootFilesystem: false

[Screenshot 2024-07-23 170940]

za avatar Jul 23 '24 10:07 za
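As an added example (not hardeneks' own code), here is a minimal model of the check this thread is about, written over plain dicts shaped like Pod manifests. `offenders_as_reported` is an assumption about the behaviour za describes (a container with no securityContext is never flagged); `offenders_fail_closed` treats an absent securityContext, an absent readOnlyRootFilesystem key and an explicit false the same way, and also walks initContainers, which the thread does not mention.

```python
def _containers(pod):
    """Yield every container spec of a pod, init containers included."""
    spec = pod.get("spec", {})
    yield from spec.get("initContainers", [])
    yield from spec.get("containers", [])

def offenders_as_reported(pods):
    """Models the behaviour the reporters describe (an assumption): a
    container with no securityContext is skipped, so it is never flagged."""
    offenders = []
    for pod in pods:
        for c in _containers(pod):
            sc = c.get("securityContext")
            if sc is None:
                continue  # the gap: no securityContext, no verdict at all
            if not sc.get("readOnlyRootFilesystem"):
                offenders.append(pod["metadata"]["name"])
                break
    return offenders

def offenders_fail_closed(pods):
    """Flag a missing securityContext, a missing readOnlyRootFilesystem key
    and an explicit false alike: in all three the root filesystem is writable."""
    offenders = []
    for pod in pods:
        for c in _containers(pod):
            sc = c.get("securityContext") or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                offenders.append(pod["metadata"]["name"])
                break
    return offenders

def make_pod(name, security_context=None):
    """Constructed single-container Pod manifest; None omits securityContext."""
    container = {"name": "app", "image": "example:latest"}
    if security_context is not None:
        container["securityContext"] = security_context
    return {"metadata": {"name": name}, "spec": {"containers": [container]}}

# Constructed sample input covering the cases raised in the thread.
SAMPLE_PODS = [
    make_pod("no-context"),                                  # securityContext absent
    make_pod("empty-context", {}),                           # key absent
    make_pod("writable", {"readOnlyRootFilesystem": False}),
    make_pod("hardened", {"readOnlyRootFilesystem": True}),
]
```

Running both functions over `SAMPLE_PODS` shows the difference: only the fail-closed variant reports `no-context`, the pod that has no securityContext at all.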